I am trying to create stored procedure which will decide which language to use based on a parameter passed?
How can I do something like this ?
declare #en varchar(50) = 'en'
declare #fi varchar(50) = 'fi'
select * from [#en].[TestingLanguagesInNameSpacesDelMe]
select * from [#fi].[TestingLanguagesInNameSpacesDelMe]
I would also advocate a single-table/language-segmented design where all the languages are stored in a single table with a language column.
Dynamic SQL may be potentially vulnerable to SQL injection. If the #LANG variable cannot be trusted (or if the schema and table need to be validated to be a valid combination), you can check it against sys.schemas using a technique like this:
DECLARE #template AS varchar(max)
SET #template = 'SELECT * FROM {object_name}'
DECLARE #object_name AS sysname
SELECT #object_name = QUOTENAME(s.name) + '.' + QUOTENAME(o.name)
FROM sys.objects o
INNER JOIN sys.schemas s
ON s.schema_id = o.schema_id
WHERE o.object_id = OBJECT_ID(QUOTENAME(#LANG) + '.[TestingLanguagesInNameSpacesDelMe]')
IF #object_name IS NOT NULL
BEGIN
DECLARE #sql AS varchar(max)
SET #sql = REPLACE(#template, '{object_name}', #object_name)
EXEC (#sql)
END
Now you have the power and flexibility of dynamic sql, but it is not vulnerable to injection.
You could use Dynamic SQL:
DECLARE #SQL varchar(MAX)
SELECT #SQL = 'select * from ['
+ #LANG
+ '].[TestingLanguagesInNameSpacesDelMe]'
sp_executesql #SQL
But I would consider using a SINGLE table with an indexed COLUMN with the language:
select * from [dbo].[TestingLanguagesInNameSpacesDelMe] where [lang] = #LANG
How about this?
declare #sqlCall varchar(200)
set #sqlCall = 'select * from [' + #language + '].[TestingLanguagesInNameSpacesDelMe]'
exec #sqlCall
I would have to agree with the other posted answer, make a column that indicates the language and just filter on the language..
-- Yep I also concluded that it is the dynamic sql ..
declare #tableName varchar(50)
set #tableName ='TestingLanguagesInNameSpacesDelMe'
declare #sql nvarchar(200)= 'select * from '
declare #fi varchar(40) = 'fi'
declare #en varchar(50) = 'en'
set #sql = #sql + '[' + #fi + '].[' + #tableName + ']'
print #sql
exec sp_executesql #sql
Related
I'm currently editing a procedure, let's call it A, that does some manipulations of a temporary table created in procedure B (so procedure B calls A). Procedure B contains one argument, which is the name of the said temporary table.
That being said, we need to retrieve all the columns (in a CSV) of the temporary table into a variable. Since the name is not the same everytime, I need to use dynamic SQL.
Here is what I have:
-- Input parameters: #sTempTableName VARCHAR(MAX) --> Name of the temporary table to alter
DECLARE
#sColumns AS NVARCHAR(MAX) = '',
#sAlterTableDynamicSQL AS VARCHAR(MAX)
SET #sAlterTableDynamicSQL =
'
SELECT #sColumns = #sColumns + [name] + N'','' FROM Tempdb.Sys.Columns WHERE [object_id] = object_id(''tempdb..' + #sTempTableName + ''')
'
PRINT (#sAlterTableDynamicSQL)
EXEC (#sAlterTableDynamicSQL)
This fails saying that I need to declare #sColumns since it does not exists (I guess variables aren't shared between connections). How can I manage to do this ? I figured I could create another temporary table to hold that CSV, but I'm thinking there should be another way.
You should use sp_executesql statement. It would look like this:
DECLARE
#sColumns NVARCHAR(MAX),
#sAlterTableDynamicSQL NVARCHAR(MAX),
#temptableid INT = 3;
SELECT #sAlterTableDynamicSQL =
N'SELECT #sColumns = STRING_AGG([name], '','') FROM Tempdb.Sys.Columns WHERE [object_id] = + CAST(#temptableid AS VARCHAR(10))';
EXEC sp_executesql #sAlterTableDynamicSQL, N'#sColumns NVARCHAR(MAX) OUTPUT, #temptableid INT', #sColumns = #sColumns OUTPUT, #temptableid = #temptableid
SELECT #sColumns;
You can pass through variables to dynamic SQL via sp_executesql
Note that you should always use QUOTENAME to escape object names
Also, dynamic SQL variables should always be nvarchar
You also should not use variable coalescing to aggregate, instead use STRING_AGG or FOR XML
DECLARE
#sColumns AS NVARCHAR(MAX) = '',
#sAlterTableDynamicSQL AS NVARCHAR(MAX),
#sGUID AS VARCHAR(MAX) = CAST(NEWID() AS VARCHAR(MAX))
SET #sAlterTableDynamicSQL =
'
SELECT #sColumns = STRING_AGG(CAST([name] AS nvarchar(max)), N'','')
FROM Tempdb.sys.columns
WHERE [object_id] = object_id(N''tempdb..' + QUOTENAME(#sNomTableTemporaire, '''') + ''');
';
PRINT (#sAlterTableDynamicSQL);
EXEC sp_executesql
#sAlterTableDynamicSQL,
N'#sColumns nvarchar(max) OUTPUT'
#sColumns = #sColumns OUTPUT;
But you don't actually need dynamic SQL here at all. You can pass the table name straight to object_id()
DECLARE
#sColumns AS NVARCHAR(MAX) = '',
#sAlterTableDynamicSQL AS NVARCHAR(MAX),
#sGUID AS VARCHAR(MAX) = CAST(NEWID() AS VARCHAR(MAX))
SELECT #sColumns = STRING_AGG(CAST([name] AS nvarchar(max)), N',')
FROM Tempdb.sys.columns
WHERE [object_id] = object_id(N'tempdb..' + QUOTENAME(#sNomTableTemporaire));
For SQL Server 2016 and earlier, you can use the FOR XML PATH('') method
Is there a way to do something like this? People is the name of the table.
declare #placeholder varchar(20) = 'People'
select * from #placeholder
Or something like this where the table name is People_Backup.
declare #placeholder varchar(20) = '_Backup'
select * from People#placeholder
And is there a way to add in dynamic sql the value of a variable?
something like this:
declare #placeholder nvarchar(20) = 'people'
declare #name nvarchar(30) = 'antony'
declare #query nvarchar(1000) = 'select * from ' + #placeholder + ' where
first_name=' + #name
exec sp_executesql #query
I mean: without do this
exec sp_executesql #query, N'#name varchar(30)', #name
Thank you for the answers.
Not without dynamic SQL.
Parameters in SQL are placeholders for data, and can't be used as placeholders for anything else (which includes commands such as select, update etc' and identifiers such as database name, schema name, table name, column name etc').
The only way to parameterize table names is to use dynamic SQL - meaning you must build a string containing the SQL you want to execute, and then execute it.
Beware - dynamic SQL might be an open door for SQL injection attacks - so you must do it wisely - here are some ground rules:
Always white-list your identifiers (using system tables or views such as sys.Tables or Information_schema.Columns)
Always use sysname as the datatype for identifiers.
The sysname data type is used for table columns, variables, and stored procedure parameters that store object names. The exact definition of sysname is related to the rules for identifiers. Therefore, it can vary between instances of SQL Server.
Never pass SQL commands or clauses in parameters - set #placeholder = 'select a, b, c' or set #placeholder = 'where x = y' is a security hazard!
Always use parameters for data. Never concatenate parameters into your sql string: set #sql = 'select * from table where x = '+ #x is a security hazard. Always create your dynamic SQL to use parameters as parameters: set #sql = 'select * from table where x = #x'
Always use sp_executeSql to execute your dynamic SQL statement, not EXEC(#SQL).
For more information, read Kimberly Tripp's EXEC and sp_executesql – how are they different?
Always wrap identifiers with QUOTENAME() to ensure correct query even when identifiers include chars like white-spaces
To recap - a safe version of what you are asking for (with an additional dynamic where clause to illustrate the other points) is something like this:
#DECLARE #TableName sysname = 'People',
#ColumnName sysname = 'FirstName'
#Search varchar(10) = 'Zohar';
IF EXISTS(
SELECT 1
FROM Information_Schema.Columns
WHERE TABLE_NAME = #TableName
AND COLUMN_NAME = #ColumnName
)
BEGIN
DECLARE #Sql nvarchar(4000) =
'SELECT * FROM +' QUOTENAME(#TableName) +' WHERE '+ QUOTENAME(#ColumnName) +' LIKE ''%''+ #Search +''%'';'
EXEC sp_executesql #Sql, N'#Search varchar(10)', #Search
END
-- you might want to raise an error if not
To answer your question after edited directly:
I mean: without do this exec sp_executesql #query, N'#name varchar(30)', #name
Yes, you can do it without using sp_executeSql, but it's dangerous - it will enable an attacker to use something like '';DROP TABLE People;-- as the value of #name, so that when you execute the sql, your People table will be dropped.
To do that, you will need to wrap the #name with ' -
declare #placeholder nvarchar(20) = 'people'
declare #name nvarchar(30) = 'antony'
declare #query nvarchar(1000) = 'select * from ' + QUOTENAME(#placeholder) + ' where
first_name=''' + #name +''''
exec(#query)
I mean: without do this exec sp_executesql #query, N'#name varchar(30)', #name
Yes, you can do that as
--Use MAX instead of 1000
DECLARE #SQL nvarchar(MAX) = N'SELECT * FROM ' + #placeholder + ' WHERE first_name = '''+#name +'''';
EXECUTE sp_executesql #SQL;
I am trying to execute this query:
declare #tablename varchar(50)
set #tablename = 'test'
select * from #tablename
This produces the following error:
Msg 1087, Level 16, State 1, Line 5
Must declare the table variable "#tablename".
What's the right way to have the table name populated dynamically?
For static queries, like the one in your question, table names and column names need to be static.
For dynamic queries, you should generate the full SQL dynamically, and use sp_executesql to execute it.
Here is an example of a script used to compare data between the same tables of different databases:
Static query:
SELECT * FROM [DB_ONE].[dbo].[ACTY]
EXCEPT
SELECT * FROM [DB_TWO].[dbo].[ACTY]
Since I want to easily change the name of table and schema, I have created this dynamic query:
declare #schema sysname;
declare #table sysname;
declare #query nvarchar(max);
set #schema = 'dbo'
set #table = 'ACTY'
set #query = '
SELECT * FROM [DB_ONE].' + QUOTENAME(#schema) + '.' + QUOTENAME(#table) + '
EXCEPT
SELECT * FROM [DB_TWO].' + QUOTENAME(#schema) + '.' + QUOTENAME(#table);
EXEC sp_executesql #query
Since dynamic queries have many details that need to be considered and they are hard to maintain, I recommend that you read: The curse and blessings of dynamic SQL
Change your last statement to this:
EXEC('SELECT * FROM ' + #tablename)
This is how I do mine in a stored procedure. The first block will declare the variable, and set the table name based on the current year and month name, in this case TEST_2012OCTOBER. I then check if it exists in the database already, and remove if it does. Then the next block will use a SELECT INTO statement to create the table and populate it with records from another table with parameters.
--DECLARE TABLE NAME VARIABLE DYNAMICALLY
DECLARE #table_name varchar(max)
SET #table_name =
(SELECT 'TEST_'
+ DATENAME(YEAR,GETDATE())
+ UPPER(DATENAME(MONTH,GETDATE())) )
--DROP THE TABLE IF IT ALREADY EXISTS
IF EXISTS(SELECT name
FROM sysobjects
WHERE name = #table_name AND xtype = 'U')
BEGIN
EXEC('drop table ' + #table_name)
END
--CREATES TABLE FROM DYNAMIC VARIABLE AND INSERTS ROWS FROM ANOTHER TABLE
EXEC('SELECT * INTO ' + #table_name + ' FROM dbo.MASTER WHERE STATUS_CD = ''A''')
Use:
CREATE PROCEDURE [dbo].[GetByName]
#TableName NVARCHAR(100)
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
DECLARE #sSQL nvarchar(500);
SELECT #sSQL = N'SELECT * FROM' + QUOTENAME(#TableName);
EXEC sp_executesql #sSQL
END
You can't use a table name for a variable. You'd have to do this instead:
DECLARE #sqlCommand varchar(1000)
SET #sqlCommand = 'SELECT * from yourtable'
EXEC (#sqlCommand)
You'll need to generate the SQL content dynamically:
declare #tablename varchar(50)
set #tablename = 'test'
declare #sql varchar(500)
set #sql = 'select * from ' + #tablename
exec (#sql)
Use sp_executesql to execute any SQL, e.g.
DECLARE #tbl sysname,
#sql nvarchar(4000),
#params nvarchar(4000),
#count int
DECLARE tblcur CURSOR STATIC LOCAL FOR
SELECT object_name(id) FROM syscolumns WHERE name = 'LastUpdated'
ORDER BY 1
OPEN tblcur
WHILE 1 = 1
BEGIN
FETCH tblcur INTO #tbl
IF ##fetch_status <> 0
BREAK
SELECT #sql =
N' SELECT #cnt = COUNT(*) FROM dbo.' + quotename(#tbl) +
N' WHERE LastUpdated BETWEEN #fromdate AND ' +
N' coalesce(#todate, ''99991231'')'
SELECT #params = N'#fromdate datetime, ' +
N'#todate datetime = NULL, ' +
N'#cnt int OUTPUT'
EXEC sp_executesql #sql, #params, '20060101', #cnt = #count OUTPUT
PRINT #tbl + ': ' + convert(varchar(10), #count) + ' modified rows.'
END
DEALLOCATE tblcur
You need to use the SQL Server dynamic SQL:
DECLARE #table NVARCHAR(128),
#sql NVARCHAR(MAX);
SET #table = N'tableName';
SET #sql = N'SELECT * FROM ' + #table;
Use EXEC to execute any SQL:
EXEC (#sql)
Use EXEC sp_executesql to execute any SQL:
EXEC sp_executesql #sql;
Use EXECUTE sp_executesql to execute any SQL:
EXECUTE sp_executesql #sql
Declare #tablename varchar(50)
set #tablename = 'Your table Name'
EXEC('select * from ' + #tablename)
Also, you can use this...
DECLARE #SeqID varchar(150);
DECLARE #TableName varchar(150);
SET #TableName = (Select TableName from Table);
SET #SeqID = 'SELECT NEXT VALUE FOR ' + #TableName + '_Data'
exec (#SeqID)
Declare #fs_e int, #C_Tables CURSOR, #Table varchar(50)
SET #C_Tables = CURSOR FOR
select name from sysobjects where OBJECTPROPERTY(id, N'IsUserTable') = 1 AND name like 'TR_%'
OPEN #C_Tables
FETCH #C_Tables INTO #Table
SELECT #fs_e = sdec.fetch_Status FROM sys.dm_exec_cursors(0) as sdec where sdec.name = '#C_Tables'
WHILE ( #fs_e <> -1)
BEGIN
exec('Select * from ' + #Table)
FETCH #C_Tables INTO #Table
SELECT #fs_e = sdec.fetch_Status FROM sys.dm_exec_cursors(0) as sdec where sdec.name = '#C_Tables'
END
I'm trying to pass the server name as a variable in a Exec(#sqlstring) stored procedure. However I cannot get the correct syntax and I'm pretty much all out of ideas.
The server name is UK-DATA-SQL-P01 or UK-DATA-SQL-P02 which is why I need to use it as a variable so the user can select.
The syntax I'm trying to use to pass the variable is:
INNER JOIN ' + #ServerName + '.' + #DBName + '.[dbo].
I'm sure that this is simple but any help would be much appreciated.
Thanks in advance
You can also use OPENDATASOURCE. Something like this :
INNER JOIN OPENDATASOURCE('SQLOLEDB','Data Source = ServerName; User ID = Username; Password = Password').[DatabaseName].[DatabaseOwner].[TableName] Z ON...
PS. You'd need to enable Ad Hoc Distributed Queries for this to work.
How To Enable Ad Hoc Distributed Queries - For Reference
Hope it helps.
I've been using Synonyms to achieve similar:
Create Procedure ReturnServerDbTable (#Server as nvarchar(50), #DB as nvarchar(50), #Table as nvarchar(50))
as
begin
declare #sql as nvarchar(500)
set #sql = 'CREATE SYNONYM ServerDBTable FOR ' + #Server + '.' + #db + '.dbo.' + #table
exec(#sql)
select * from ServerDBTable
DROP SYNONYM ServerDBTable
end
Use something like this just a sample then you can extend
create proc sampleProc
#tableName varchar(100) ,
#serverName varchar(100)
as
begin
declare #tableName1 varchar(100)
set #tableName1='Sales'
declare #fullname varchar(500)
set #fullname = #serverName+'.'+ #tableName
print (#fullname)
DECLARE #SQLQuery AS NVARCHAR(500)
SET #SQLQuery = ' SELECT * FROM '+ #fullname + ' inner join ' + #tableName1 + ' on id=custid'
print (#SQLQuery)
--EXECUTE(#SQLQuery)
end
--usage like this
exec sampleProc 'server','customer'
declare #tableName varchar(100)
set #tableName='Customers'
-- this is previous answer
declare #tableName1 varchar(100)
set #tableName1='Sales'
DECLARE #SQLQuery AS NVARCHAR(500)
SET #SQLQuery = ' SELECT * FROM '+ #tableName + ' inner join ' + #tableName1 + ' on id=custid'
print (#SQLQuery)
EXECUTE(#SQLQuery)
I got this dynamic code:
declare #TableName varchar(100)='Customer'
declare #DestinationcolumnList NVARCHAR(MAX)
DECLARE #ServerName NVARCHAR(100) = '----'
DECLARE #SourceDatabase NVARCHAR(100) = 'Staging'
DECLARE #DestinationDatabase NVARCHAR(100) = 'History'
declare #SQL NVARCHAR(MAX)
set #SQL='
select
'+#DestinationcolumnList+' = coalesce('+#DestinationcolumnList+', '''') +'',''+ char(13) + char(10) + quotename(cast(d.COLUMN_NAME as varchar(128)))
from ['+#ServerName+'].['+#DestinationDatabase+'].INFORMATION_SCHEMA.COLUMNS d
inner join ['+#ServerName+'].['+#SourceDatabase+'].INFORMATION_SCHEMA.COLUMNS s
on d.TABLE_NAME = s.TABLE_NAME
and s.COLUMN_NAME = d.COLUMN_NAME
where d.TABLE_NAME = '''+#TableName+'''
order by d.ORDINAL_POSITION
'
exec sp_executesql #SQL
select #DestinationcolumnList
its giving NULL value. when I execute same code without dynamic SQL its working fine. How scope of the variable works in dynamic SQL.
Thanks in advance.
In Dynamic SQL, variables declared outside the dynamic string are used to build a string, they are not used as a part of the string, so they cannot be used the way you are trying to do it: doing the undocumented trick of concatenating a variable with itself to produce a single string in a SELECT statement.
If you made the variable declaration part of the string, it should work:
set #SQL='
declare #DestinationcolumnList NVARCHAR(MAX);
select
#DestinationcolumnList = coalesce(#DestinationcolumnList, '''') +'',''+ char(13) + char(10) + quotename(cast(d.COLUMN_NAME as varchar(128)))
from ['+#ServerName+'].['+#DestinationDatabase+'].INFORMATION_SCHEMA.COLUMNS d
inner join ['+#ServerName+'].['+#SourceDatabase+'].INFORMATION_SCHEMA.COLUMNS s
on d.TABLE_NAME = s.TABLE_NAME
and s.COLUMN_NAME = d.COLUMN_NAME
where d.TABLE_NAME = '''+#TableName+'''
order by d.ORDINAL_POSITION;
select #DestinationcolumnList;
'
exec sp_executesql #SQL